Developing measurement techniques to ensure risk culture and organizational culture align

Lisa McArthur, Head of Conduct, Compliance & Operational Risk Standards and Capability, Lloyds Banking Group

Below is an insight into what can be expected from Lisa’s session at New Generation Operational Risk Europe 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

What is the importance of conducting behaviour and culture assessments?

To answer this, it’s helpful to start by differentiating between ‘behaviour’ and ‘culture’:

  • ‘Behaviour’ relates to how individuals and organisations act and interact.
  • Culture’ relates to the values and beliefs shared by a group, which in turn influence how individuals and the organisation behave.

There are various reasons that behaviour and culture assessments should be a key consideration in how we manage our businesses.  Here are just a few:

  • We want to do the right thing – our organizations don’t operate in isolation; how they act can significantly impact our external environment. Seeking to purposefully nurture a healthy culture is an ethical and social responsibility for every organization.
  • We want to understand if we’re moving in the right direction – assessments can provide deep insight into how culture is either helping or deterring achievement of our organization’s strategic objectives.
  • We want to attract and retain great employees – culture matters when choosing an employer. A recent survey reported more than 80% of employees felt a healthy organizational culture was a key factor in deciding which companies they would work for.
  • We want to differentiate ourselves – in a highly competitive market, a healthy culture can help an organization stand out by harnessing the full potential of its people.   Simply by ‘being more’ … more customer-focused, more outcomes driven, more innovative, more agile.
Why is it difficult to assess behaviour and culture of your employees?

For me there are two broad reasons.

  1. Choosing ‘what’ to assess and ‘how’ to assess can be tricky.

There’s a full spectrum of approaches ranging from light touch desktop exercises through to detailed behavioural diagnostics.  I’ve found a blended approach, using a range of different assessments, to be the most insightful and value-adding.

  1. You’re assessing something that’s dynamic.

Behaviours and culture are influenced by internal and external factors on an ongoing basis.  Here are a couple of examples which may resonate with you:

  • During the pandemic, extreme change to the external environment meant organizations and their employees had to adapt quickly to find different ways to meet the needs of customers and clients. In order to adapt, our behaviours (how we acted) had to change, and organizational cultures had to shift to encourage this to happen.
  • New leadership can create changes in an organization’s internal environment e.g., new vision, purpose and strategy will likely influence the behaviours, values and beliefs needed to help the organization achieve its new goals.
What does a healthy risk culture look like, and how can this be embedded?

A good example of a healthy organizational culture is where the behaviours and values of the people and the organization are aligned to achieve its strategic goals … in other words, everyone is pulling in the same direction.  Diversification of your workforce to reflect your customer base plays a massive part in helping achieve this.

Looking specifically at risk culture / risk mindset, this is a sub-set of organizational culture.  I’d describe a healthy risk mindset as one where employees:

  • Take ownership of managing risk
  • Have open and balanced conversations about risks
  • Try to identify risks and manage them before they happen
  • Work collaboratively with others across teams to manage risks
  • Are comfortable to make mistakes and look to learn from them

Once you’re clear on risk mindset outcomes for your organization, such as the ones above, these can be embedded through:

  • Communications – top-down role-modelling of the desired outcomes and behaviours
  • Training – ensuring employees understand and have the capability to adopt the risk mindset
  • Frameworks and Tooling – these need to be designed to encourage the risk mindset behaviours you want rather than contradict e.g., ensuring frameworks are communicated in language our businesses recognise and are clear on how great risk management drives tangible value
  • Performance and Remuneration – recognising colleagues for the right behaviours
  • Recruitment – looking beyond technical skills alone to consider applicants that fit with the desired risk mindset/culture
What is a risk culture dashboard, and how can institutions build their own?

A risk culture dashboard is a suite of metrics that provides information and insight on how well risk is understood, identified, assessed and managed within the organization.

First step in building a dashboard is to determine the types of risks that are key to the organization.

Next, consider what needs to be measured to understand the behaviours, values and beliefs behind these risk types. Here are just a few measurement examples to bring this to life:

  • Number and scale of events and near-misses, and cost of operational losses
  • Call waiting times
  • Speed at which complaints are resolved for customers
  • Number of incidents impacting service availability to customers
  • Timeliness of updates/responses to the regulator
  • % Improvements to key control environment over time
  • Number of recurring events and near-misses

Once the metrics are determined it’s a matter of operationalising the production and analysis of the data on a regular basis to derive value-adding insight on performance and trends over time.

Also look for interrelationships between the metrics e.g., if there is a deterioration in metric X and this creates a deterioration in metric Y.   Identifying these connections helps to deepen your understanding of how your risk culture pieces together and what’s influencing any shifts.

How can behaviour assessments be implemented?

Start by considering how in-depth you want the behaviour assessment to be.  Remember, the approaches range from lighter touch to more comprehensive.  To help you decide, be clear on the benefits and the limitations of different approaches.

If you have the scope to do so, it’s worth considering how you can combine different approaches to build a comprehensive view of your organization’s risk culture and the behaviours underpinning it e.g.

  • Risk Culture Dashboard (monthly)
  • Colleague Engagement Survey (intra-year/annual)
  • Behavioural diagnostic to measure movement in employee and organization behaviours over time (every 2–3 years)

And remember, actions to transform behaviours and risk mindset do take time and effort to embed. It takes patience … and data.  The deeper the insight you have on your organization’s culture and behaviours, the easier it is to see which levers you should pull to achieve desired and sustainable risk mindset shifts.